1# Copyright 2023 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15fullname:
16- spec
17shortname: spec
18description: ""
19type: object
20requirementlevel: Required
21children:
22- fullname:
23 - spec
24 - admissionWhitelistPatterns
25 shortname: admissionWhitelistPatterns
26 description: Optional. Admission policy allowlisting. A matching admission request
27 is always permitted, regardless of the admission rules in this policy. This feature is typically used to exclude Google or
28 third-party infrastructure images from Binary Authorization policies.
29 type: list (object)
30 requirementlevel: Optional
31 children:
32 - fullname:
33 - spec
34 - admissionWhitelistPatterns
35 - '[]'
36 shortname: '[]'
37 description: ""
38 type: object
39 requirementlevel: Optional
40 children:
41 - fullname:
42 - spec
43 - admissionWhitelistPatterns
44 - '[]'
45 - namePattern
46 shortname: namePattern
47 description: An image name pattern to allowlist, in the form `registry/path/to/image`.
48 A trailing `*` is supported as a wildcard, but only in the text after the
49 `registry/` part.
50 type: string
51 requirementlevel: Optional
52 children: []
53 additionalproperties: []
54 additionalproperties: []
55 additionalproperties: []
56- fullname:
57 - spec
58 - clusterAdmissionRules
59 shortname: clusterAdmissionRules
60 description: 'Optional. Per-cluster admission rules. Cluster spec format: location.clusterId.
61 There can be at most one admission rule per cluster spec. A location is either
62 a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId
63 syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.'
64 type: 'map (key: string, value: object)'
65 requirementlevel: Optional
66 children: []
67 additionalproperties:
68 - fullname:
69 - spec
70 - clusterAdmissionRules
71 - enforcementMode
72 shortname: enforcementMode
73 description: 'Required. The action when a pod creation is denied by the admission
74 rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG,
75 DRYRUN_AUDIT_LOG_ONLY'
76 type: string
77 requirementlevel: RequiredWhenParentPresent
78 children: []
79 additionalproperties: []
80 - fullname:
81 - spec
82 - clusterAdmissionRules
83 - evaluationMode
84 shortname: evaluationMode
85 description: 'Required. How this admission rule will be evaluated. Possible values:
86 ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION'
87 type: string
88 requirementlevel: RequiredWhenParentPresent
89 children: []
90 additionalproperties: []
91 - fullname:
92 - spec
93 - clusterAdmissionRules
94 - requireAttestationsBy
95 shortname: requireAttestationsBy
96 description: ""
97 type: list (object)
98 requirementlevel: Optional
99 children:
100 - fullname:
101 - spec
102 - clusterAdmissionRules
103 - requireAttestationsBy
104 - '[]'
105 shortname: '[]'
106 description: ""
107 type: object
108 requirementlevel: Optional
109 children:
110 - fullname:
111 - spec
112 - clusterAdmissionRules
113 - requireAttestationsBy
114 - '[]'
115 - external
116 shortname: external
117 description: 'Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor`
118 resource (format: `projects/{{project}}/attestors/{{name}}`).'
119 type: string
120 requirementlevel: Optional
121 children: []
122 additionalproperties: []
123 - fullname:
124 - spec
125 - clusterAdmissionRules
126 - requireAttestationsBy
127 - '[]'
128 - name
129 shortname: name
130 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
131 type: string
132 requirementlevel: Optional
133 children: []
134 additionalproperties: []
135 - fullname:
136 - spec
137 - clusterAdmissionRules
138 - requireAttestationsBy
139 - '[]'
140 - namespace
141 shortname: namespace
142 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
143 type: string
144 requirementlevel: Optional
145 children: []
146 additionalproperties: []
147 additionalproperties: []
148 additionalproperties: []
149- fullname:
150 - spec
151 - defaultAdmissionRule
152 shortname: defaultAdmissionRule
153 description: Required. Default admission rule for a cluster without a per-cluster,
154 per-kubernetes-service-account, or per-istio-service-identity admission rule.
155 type: object
156 requirementlevel: Required
157 children:
158 - fullname:
159 - spec
160 - defaultAdmissionRule
161 - enforcementMode
162 shortname: enforcementMode
163 description: 'Required. The action when a pod creation is denied by the admission
164 rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG,
165 DRYRUN_AUDIT_LOG_ONLY'
166 type: string
167 requirementlevel: Required
168 children: []
169 additionalproperties: []
170 - fullname:
171 - spec
172 - defaultAdmissionRule
173 - evaluationMode
174 shortname: evaluationMode
175 description: 'Required. How this admission rule will be evaluated. Possible values:
176 ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION'
177 type: string
178 requirementlevel: Required
179 children: []
180 additionalproperties: []
181 - fullname:
182 - spec
183 - defaultAdmissionRule
184 - requireAttestationsBy
185 shortname: requireAttestationsBy
186 description: ""
187 type: list (object)
188 requirementlevel: Optional
189 children:
190 - fullname:
191 - spec
192 - defaultAdmissionRule
193 - requireAttestationsBy
194 - '[]'
195 shortname: '[]'
196 description: ""
197 type: object
198 requirementlevel: Optional
199 children:
200 - fullname:
201 - spec
202 - defaultAdmissionRule
203 - requireAttestationsBy
204 - '[]'
205 - external
206 shortname: external
207 description: 'Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor`
208 resource (format: `projects/{{project}}/attestors/{{name}}`).'
209 type: string
210 requirementlevel: Optional
211 children: []
212 additionalproperties: []
213 - fullname:
214 - spec
215 - defaultAdmissionRule
216 - requireAttestationsBy
217 - '[]'
218 - name
219 shortname: name
220 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
221 type: string
222 requirementlevel: Optional
223 children: []
224 additionalproperties: []
225 - fullname:
226 - spec
227 - defaultAdmissionRule
228 - requireAttestationsBy
229 - '[]'
230 - namespace
231 shortname: namespace
232 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
233 type: string
234 requirementlevel: Optional
235 children: []
236 additionalproperties: []
237 additionalproperties: []
238 additionalproperties: []
239 additionalproperties: []
240- fullname:
241 - spec
242 - description
243 shortname: description
244 description: Optional. A descriptive comment.
245 type: string
246 requirementlevel: Optional
247 children: []
248 additionalproperties: []
249- fullname:
250 - spec
251 - globalPolicyEvaluationMode
252 shortname: globalPolicyEvaluationMode
253 description: 'Optional. Controls the evaluation of a Google-maintained global admission
254 policy for common system-level images. Images not covered by the global policy
255 will be subject to the project admission policy. This setting has no effect when
256 specified inside a global admission policy. Possible values: GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED,
257 ENABLE, DISABLE'
258 type: string
259 requirementlevel: Optional
260 children: []
261 additionalproperties: []
262- fullname:
263 - spec
264 - istioServiceIdentityAdmissionRules
265 shortname: istioServiceIdentityAdmissionRules
266 description: 'Optional. Per-istio-service-identity admission rules. Istio service
267 identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount>, e.g. spiffe://example.com/ns/test-ns/sa/default'
268 type: 'map (key: string, value: object)'
269 requirementlevel: Optional
270 children: []
271 additionalproperties:
272 - fullname:
273 - spec
274 - istioServiceIdentityAdmissionRules
275 - enforcementMode
276 shortname: enforcementMode
277 description: 'Required. The action when a pod creation is denied by the admission
278 rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG,
279 DRYRUN_AUDIT_LOG_ONLY'
280 type: string
281 requirementlevel: RequiredWhenParentPresent
282 children: []
283 additionalproperties: []
284 - fullname:
285 - spec
286 - istioServiceIdentityAdmissionRules
287 - evaluationMode
288 shortname: evaluationMode
289 description: 'Required. How this admission rule will be evaluated. Possible values:
290 ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION'
291 type: string
292 requirementlevel: RequiredWhenParentPresent
293 children: []
294 additionalproperties: []
295 - fullname:
296 - spec
297 - istioServiceIdentityAdmissionRules
298 - requireAttestationsBy
299 shortname: requireAttestationsBy
300 description: ""
301 type: list (object)
302 requirementlevel: Optional
303 children:
304 - fullname:
305 - spec
306 - istioServiceIdentityAdmissionRules
307 - requireAttestationsBy
308 - '[]'
309 shortname: '[]'
310 description: ""
311 type: object
312 requirementlevel: Optional
313 children:
314 - fullname:
315 - spec
316 - istioServiceIdentityAdmissionRules
317 - requireAttestationsBy
318 - '[]'
319 - external
320 shortname: external
321 description: 'Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor`
322 resource (format: `projects/{{project}}/attestors/{{name}}`).'
323 type: string
324 requirementlevel: Optional
325 children: []
326 additionalproperties: []
327 - fullname:
328 - spec
329 - istioServiceIdentityAdmissionRules
330 - requireAttestationsBy
331 - '[]'
332 - name
333 shortname: name
334 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
335 type: string
336 requirementlevel: Optional
337 children: []
338 additionalproperties: []
339 - fullname:
340 - spec
341 - istioServiceIdentityAdmissionRules
342 - requireAttestationsBy
343 - '[]'
344 - namespace
345 shortname: namespace
346 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
347 type: string
348 requirementlevel: Optional
349 children: []
350 additionalproperties: []
351 additionalproperties: []
352 additionalproperties: []
353- fullname:
354 - spec
355 - kubernetesNamespaceAdmissionRules
356 shortname: kubernetesNamespaceAdmissionRules
357 description: 'Optional. Per-kubernetes-namespace admission rules. K8s namespace
358 spec format: [a-z.-]+, e.g. ''some-namespace'''
359 type: 'map (key: string, value: object)'
360 requirementlevel: Optional
361 children: []
362 additionalproperties:
363 - fullname:
364 - spec
365 - kubernetesNamespaceAdmissionRules
366 - enforcementMode
367 shortname: enforcementMode
368 description: 'Required. The action when a pod creation is denied by the admission
369 rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG,
370 DRYRUN_AUDIT_LOG_ONLY'
371 type: string
372 requirementlevel: RequiredWhenParentPresent
373 children: []
374 additionalproperties: []
375 - fullname:
376 - spec
377 - kubernetesNamespaceAdmissionRules
378 - evaluationMode
379 shortname: evaluationMode
380 description: 'Required. How this admission rule will be evaluated. Possible values:
381 ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION'
382 type: string
383 requirementlevel: RequiredWhenParentPresent
384 children: []
385 additionalproperties: []
386 - fullname:
387 - spec
388 - kubernetesNamespaceAdmissionRules
389 - requireAttestationsBy
390 shortname: requireAttestationsBy
391 description: ""
392 type: list (object)
393 requirementlevel: Optional
394 children:
395 - fullname:
396 - spec
397 - kubernetesNamespaceAdmissionRules
398 - requireAttestationsBy
399 - '[]'
400 shortname: '[]'
401 description: ""
402 type: object
403 requirementlevel: Optional
404 children:
405 - fullname:
406 - spec
407 - kubernetesNamespaceAdmissionRules
408 - requireAttestationsBy
409 - '[]'
410 - external
411 shortname: external
412 description: 'Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor`
413 resource (format: `projects/{{project}}/attestors/{{name}}`).'
414 type: string
415 requirementlevel: Optional
416 children: []
417 additionalproperties: []
418 - fullname:
419 - spec
420 - kubernetesNamespaceAdmissionRules
421 - requireAttestationsBy
422 - '[]'
423 - name
424 shortname: name
425 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
426 type: string
427 requirementlevel: Optional
428 children: []
429 additionalproperties: []
430 - fullname:
431 - spec
432 - kubernetesNamespaceAdmissionRules
433 - requireAttestationsBy
434 - '[]'
435 - namespace
436 shortname: namespace
437 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
438 type: string
439 requirementlevel: Optional
440 children: []
441 additionalproperties: []
442 additionalproperties: []
443 additionalproperties: []
444- fullname:
445 - spec
446 - kubernetesServiceAccountAdmissionRules
447 shortname: kubernetesServiceAccountAdmissionRules
448 description: 'Optional. Per-kubernetes-service-account admission rules. Service
449 account spec format: namespace:serviceaccount. e.g. ''test-ns:default'''
450 type: 'map (key: string, value: object)'
451 requirementlevel: Optional
452 children: []
453 additionalproperties:
454 - fullname:
455 - spec
456 - kubernetesServiceAccountAdmissionRules
457 - enforcementMode
458 shortname: enforcementMode
459 description: 'Required. The action when a pod creation is denied by the admission
460 rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG,
461 DRYRUN_AUDIT_LOG_ONLY'
462 type: string
463 requirementlevel: RequiredWhenParentPresent
464 children: []
465 additionalproperties: []
466 - fullname:
467 - spec
468 - kubernetesServiceAccountAdmissionRules
469 - evaluationMode
470 shortname: evaluationMode
471 description: 'Required. How this admission rule will be evaluated. Possible values:
472 ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION'
473 type: string
474 requirementlevel: RequiredWhenParentPresent
475 children: []
476 additionalproperties: []
477 - fullname:
478 - spec
479 - kubernetesServiceAccountAdmissionRules
480 - requireAttestationsBy
481 shortname: requireAttestationsBy
482 description: ""
483 type: list (object)
484 requirementlevel: Optional
485 children:
486 - fullname:
487 - spec
488 - kubernetesServiceAccountAdmissionRules
489 - requireAttestationsBy
490 - '[]'
491 shortname: '[]'
492 description: ""
493 type: object
494 requirementlevel: Optional
495 children:
496 - fullname:
497 - spec
498 - kubernetesServiceAccountAdmissionRules
499 - requireAttestationsBy
500 - '[]'
501 - external
502 shortname: external
503 description: 'Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor`
504 resource (format: `projects/{{project}}/attestors/{{name}}`).'
505 type: string
506 requirementlevel: Optional
507 children: []
508 additionalproperties: []
509 - fullname:
510 - spec
511 - kubernetesServiceAccountAdmissionRules
512 - requireAttestationsBy
513 - '[]'
514 - name
515 shortname: name
516 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
517 type: string
518 requirementlevel: Optional
519 children: []
520 additionalproperties: []
521 - fullname:
522 - spec
523 - kubernetesServiceAccountAdmissionRules
524 - requireAttestationsBy
525 - '[]'
526 - namespace
527 shortname: namespace
528 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
529 type: string
530 requirementlevel: Optional
531 children: []
532 additionalproperties: []
533 additionalproperties: []
534 additionalproperties: []
535- fullname:
536 - spec
537 - projectRef
538 shortname: projectRef
539 description: Immutable. The Project that this resource belongs to.
540 type: object
541 requirementlevel: Required
542 children:
543 - fullname:
544 - spec
545 - projectRef
546 - external
547 shortname: external
548 description: |-
549 The project of the resource.
550
551 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
552 type: string
553 requirementlevel: Optional
554 children: []
555 additionalproperties: []
556 - fullname:
557 - spec
558 - projectRef
559 - name
560 shortname: name
561 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
562 type: string
563 requirementlevel: Optional
564 children: []
565 additionalproperties: []
566 - fullname:
567 - spec
568 - projectRef
569 - namespace
570 shortname: namespace
571 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
572 type: string
573 requirementlevel: Optional
574 children: []
575 additionalproperties: []
576 additionalproperties: []
577additionalproperties: []